STR:
1. Load the URL.
2. Crash.

Attempting to insert an SVGLength that came from an SVGAnimatedLengthList's animVal into another SVGLengthList will cause a crash. I haven't looked to see if the crash is serious. Tested with Safari 7.0.5 (9537.77.4).
This crash is a null dereference; I doubt there is any security implication, and I suspect this is mis-categorized as a security bug. The bug seems to be in code in SVGListPropertyTearOff::processIncomingListItemWrapper, which calls SVGAnimatedListPropertyTearOff::findItem, which can’t handle an m_baseVal of nullptr. If I knew this code better, I might suggest fixing this by calling baseVal() inside findItem and in removeItemFromList rather than accessing m_baseVal directly.
(In reply to comment #1)
> This crash is a null dereference; I doubt there is any security implication, and I suspect this is mis-categorized as a security bug.
>
> The bug seems to be in code in SVGListPropertyTearOff::processIncomingListItemWrapper, which calls SVGAnimatedListPropertyTearOff::findItem, which can’t handle an m_baseVal of nullptr. If I knew this code better, I might suggest fixing this by calling baseVal() inside findItem and in removeItemFromList rather than accessing m_baseVal directly.

I asked Cameron to open it as a security bug since I couldn't test it myself yet. If you have evidence that it is a normal crash, please re-categorize it.
OK, done.
Created attachment 235179: local copy of test case
Crashes after trying to access a data member of m_baseVal, which is nullptr.
Blink doesn't have the issue, probably because of some refactoring on this code. Merge candidate tracked in: https://bugs.webkit.org/show_bug.cgi?id=125888
After https://bugs.webkit.org/show_bug.cgi?id=191237 is fixed, when opening the attached test case in WebKit I get the following output:

appending an SVG item that is in an animVal list of another element:
- animVal list item remained the same object
- an item was appended
- the appended item was a copy of the animVal list item

This complies with the SVG 2 spec: https://www.w3.org/TR/SVG2/types.html#__svg__SVGNameList__appendItem. It is also the behavior of Firefox.

*** This bug has been marked as a duplicate of bug 191237 ***
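The following is an added example and not WebKit's code or the test case attached to this bug. It is a small JavaScript model of the SVG 2 list semantics that the closing comment's output checks (an item appended from another element's animVal list is copied, and the original stays attached where it was), plus a lookup that tolerates a missing baseVal list instead of dereferencing it, in the spirit of the fix the first reply suggests. All class and method names (SVGLengthModel, SVGLengthListModel, SVGAnimatedLengthListModel, findItem, checkAppendFromForeignAnimVal, appendIntoAnimValThrows) belong to this model and are not DOM or WebKit identifiers; the sample list values are constructed.

```javascript
// Added example, not WebKit code: a model of SVG 2 list semantics.
// Names below are this model's own, not DOM or WebKit identifiers.

class SVGLengthModel {
  constructor(value) {
    this.value = value;     // numeric length; units are ignored in this model
    this.ownerList = null;  // list this wrapper is attached to, or null when detached
  }
}

class SVGLengthListModel {
  constructor(readOnly) {
    this.items = [];
    this.readOnly = readOnly; // animVal lists are read only
  }

  get numberOfItems() { return this.items.length; }

  getItem(index) {
    if (index < 0 || index >= this.items.length) throw new RangeError('IndexSizeError');
    return this.items[index];
  }

  // Locate an item in a list. A missing (null) list yields -1 rather than a
  // dereference of a null list, which is the failure the first reply describes.
  static findItem(list, item) {
    if (list === null || list === undefined) return -1;
    return list.items.indexOf(item);
  }

  appendItem(newItem) {
    if (this.readOnly) throw new Error('NoModificationAllowedError');
    let toInsert = newItem;
    if (newItem.ownerList === this) {
      // Already in this list: drop the existing entry so the item moves to the end.
      this.items.splice(SVGLengthListModel.findItem(this, newItem), 1);
    } else if (newItem.ownerList !== null) {
      // SVG 2: an item attached to another list is copied; the original is left alone.
      toInsert = new SVGLengthModel(newItem.value);
    }
    toInsert.ownerList = this;
    this.items.push(toInsert);
    return toInsert;
  }
}

// Animated list: baseVal is mutable, animVal is a read-only list that mirrors
// the base values while no animation runs (built directly here, constructed data).
class SVGAnimatedLengthListModel {
  constructor(values) {
    this.baseVal = new SVGLengthListModel(false);
    this.animVal = new SVGLengthListModel(true);
    for (const v of values) {
      this.baseVal.appendItem(new SVGLengthModel(v));
      const animItem = new SVGLengthModel(v);
      animItem.ownerList = this.animVal;
      this.animVal.items.push(animItem);
    }
  }
}

// Re-run the three checks from the test-case output on the model: append an
// item taken from one element's animVal list into another element's baseVal list.
function checkAppendFromForeignAnimVal() {
  const source = new SVGAnimatedLengthListModel([10, 20]); // constructed sample values
  const target = new SVGAnimatedLengthListModel([1]);

  const animItem = source.animVal.getItem(0);
  const before = target.baseVal.numberOfItems;
  const appended = target.baseVal.appendItem(animItem);

  return {
    animValItemUnchanged: source.animVal.getItem(0) === animItem
                          && animItem.ownerList === source.animVal,
    itemAppended: target.baseVal.numberOfItems === before + 1,
    appendedIsCopy: appended !== animItem && appended.value === animItem.value,
  };
}

// Writing into a read-only animVal list is rejected with an error, not a crash.
function appendIntoAnimValThrows() {
  const list = new SVGAnimatedLengthListModel([5]);
  try {
    list.animVal.appendItem(new SVGLengthModel(7));
    return false;
  } catch (e) {
    return e.message === 'NoModificationAllowedError';
  }
}
```

The three fields returned by checkAppendFromForeignAnimVal correspond one-to-one to the three lines of the quoted test-case output; running the same checks against a real document with two SVG elements (for example their x.animVal and x.baseVal lists) in a browser is the way to confirm an engine follows the SVG 2 copy rule rather than moving the item.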